Disastrous rollout, online malfunctions raise ObamaCare confidentiality concerns
Texas Insider Report: WASHINGTON, D.C. If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft. And the ObamaCare Affordable Care Act has raised the stakes. Earlier this year, the Identity Theft Resource Center produced a survey showing that breaches of personal medical information records accounted for 43 percent of all 2013 breaches in the U.S., a far greater chunk of breaches than those in banking or finance, in the government, military or education.
The definition of medical identity theft is the fraudulent acquisition of someone's personal information (name, Social Security number, health insurance number) for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.
"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum.
"Victims often experience financial repercussions, and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities."
The Affordable Care Act has raised the stakes.
One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information.
Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.
Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.
Multiple Motives
Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:
- A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
- An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating and leave with a prescription in the woman's name.
- An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
- A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
- A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he had not undergone.
Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center.
"With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.
According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches.
- 20 percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission.
- 14 percent of breaches can be attributed to hacking.
"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office for Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.
Relying on the Honor System
The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.
Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records.
But in the end, Franklin said, the hospital largely has to rely on the honor system.
According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws, and 46 of them require consumer notification when there is a security breach of private records.
The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes" and other purposes.
No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.
Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted.
HHS discloses breaches involving 500 or more patients.
Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.
"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles.
Pyles describes the status quo as "the worst of two worlds."
"The U.S. has a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected," he said.